Memory Forensics in Incident Response Flashcards

Question

How is the on-disk memory image for VirtualBox different from most other virtualization products?

Answer 1

It only holds memory in use, not a complete image of memory. (16)

Answer 2

Run a memory acquisition tool within the virtual guest.

Answer 3

Volatility

Answer 4

``` .vmem - VMware raw memory .vmss - VMware contains memory image .vmsn - VMware contains memory image .bin - Microsoft Hyper-v memory image .vsv - Microsoft Hyper-v save state .mem - Parallels raw memory image .sav - VirtualBox partial memory image (16) ```

Answer 5

A Windows hibernation file a compressed copy of RAM at the time of hibernation.

Answer 6

Volatility's imagecopy or MoonSols hibr2bin.exe

Answer 7

BulkExtractor Magnet Forensics Internet Evidence Finder Volatility Belkasoft Evidence Center

Answer 8

powercfg.exe (review the options p 20)

Answer 9

Study of data captured from memory of a target system, including RAM and virtual memory.

Answer 10

* Data is a snapshot in time, with dramatic changes possible moment to moment * Complicated to establish context because there's more information than just files and directories * Data is formatted for execution, not to be extracted and understood, so analysis is more complicated.

Answer 11

* Still requires forensically clean procedure * Still requires putting memory in context, but memory has a more complicated architecture than disk filesystems. * Still requires analyzing the raw results to understand what the data means

Answer 12

Executing a program to capture memory modifies memory.

Answer 13

Kernel Debugger Datablock (lots more on p.24)

Answer 14

Signature, contradiction, heuristic/behavioral (26)

Answer 15

1. Identify rogue processes 2. Analyze process DLLs and handles 3. Review network artifacts 4. Look for evidence of code injection 5. Check for rootkit signature 6. Dump suspicious processes and drivers

Answer 16

Malware Risk Index. (42)

Answer 17

1. Behavior rule set | 2. Verification of digital signatures

Answer 18

1. Process path verification 2. Process user verification 3. Process Handle Inspection (does a process like svchost have a handle to cmd.exe?) 4. DLL load order issues (evidence of DLL hijacking)

Answer 19

It can only be done in live memory analysis.

Answer 20

1) Unmapped processes 2) Processes started by command shell 3) DLL load order/hijacking 4) Expected command line arguments

Answer 21

1) Correct image/executable names 2) Correct file location (path) 3) Correct parent process 4) Correct command line and parameters 5) Start time information 6) Security identifies (SID)

Answer 22

A pointer to a resource such a file directory registry key, mutex or semaphore, or event.

Answer 23

DLLs, handles, threads, memory sections sockets.

Answer 24

In Windows, it's a Virtual Address Descriptor tree and maintains a list of assigned memory sections.

Answer 25

A network connection endpoint.

Answer 26

svchost.exe

Answer 27

Only by looking at process objects. Because it uses injection into svchost.exe, SID, launch time, path, and parent process are normal.

Answer 28

The principle that anything related to malware should be uncommon on a system or enterprise. Sorting a list based on occurrences and looking at the least frequently occuring items can be useful. (56)

Answer 29

It might be a sign of malice, but not always. There are legitimate objects that only appear in one windows process.

Answer 30

Less than 50, but you can create your own.

Answer 31

* suspicious ports * suspicious connections * suspicious processes (should it be communicating over the network at all?)

Answer 32

A non-browser communicating over port 80/443/8080 A browser communicating over a port other than 80/443/8080. Connections to unexplained IP addresses Web requests directly to an IP RDP connections (3389) particularly from odd IPs. DNS requests for unusual names

Answer 33

They're usually routed through a VPN concentrator.

Answer 34

Known bad IPs, domains, or filenames. http://, https://, ftp:/.

Answer 35

Very common.

Answer 36

Allocate space in a running process, shove the DLL into it, create a new thread to load the DLL into the process. or Hook a process's filter functions using SetWindowsHookEx().

Answer 37

VirtualAllocEx() | CreateRemoteThread()

Answer 38

An unnamed memory section containing executable code attached to a victim process.

Answer 39

Start a copy of a legitimate system process, pause the process, de-allocate some of the original code and replace it with malicious code.

Answer 40

It retains the original executable's process image name, path, and command line. Camouflage.

Answer 41

Page_Execute_ReadWrite (72)

Answer 42

It's not backed by a file on disk.

Answer 43

If the image binary is not backed by a file on disk (unmapped), it's a strong indicator of process hollowing. (77)

Answer 44

More advanced techniques like code injection are easy to find with memory analysis, and tools like Redline makes it easy.

Answer 45

By hooking legitimate system functions and redirecting output.

Answer 46

The System Service Descriptor Table (89)

Answer 47

NtEnumerateKey NtEnumerateValueKey NtQueryDirectoryFile (91(

Answer 48

There are so many legitimate hooks that have to be eliminated first. Lots of 3rd party drivers.

Answer 49

Least Frequency of Occurrence. Most malware hooks sparingly and may hook functions that no or few other applications do.

Answer 50

A spam bot.

Answer 51

It hooks IRP_MJ_DEVICE_CONTROL function within tcpip.sys.

Answer 52

It hides the existence of system object like processes, files, registry keys, and network artifacts.

Answer 53

Processes tab in Analysis Data Pane, double click the process of interest within the Table View pane and select MRI Report from the Full Detailed Information tabs at the bottom fo the window. That contains "Acquire Process Address Space"

Answer 54

By default %user profile%\AppData\Local\Temp\AgentAcquisition in a password protected zip archive (prevents AV quarantining)

Answer 55

An "extended length path" in Windows. (99)

Answer 56

* Scan for malware | * Study the assembly code (ugh...)

Answer 57

Scans a file with over 40 different AV engines.

Answer 58

Anything you upload is public domain. A safer option is to upload a MD5 of the suspect file.

Answer 59

Threat Expert and GFI Sandbox.

Answer 60

* Faster triage * Includes the system pagefile * More accurate heuristic matching * Digital signature checks of process executables, DLLs, drivers with a known good whitelist * Indicator of Compromise searches using pre-defined IOC files.

Answer 61

It accesses physical memory, not relying on API calls, open handles, or debuggers.

Answer 62

Proof of concept code that pages itself out of memory when a memory acquisition tool is detected. (107)

Answer 63

A framework for performing digital investigations on Windows, Linux, and Mac memory images. (121)

Answer 64

It's open source, from https://code.google.com/p/volatility/

Answer 65

The Volatility wiki: https://code/google.com/p/volatility/wiki/CommandReference23 (for version 2.3)

Answer 66

vol.py -f [image] [plugin] --profile=[PROFILE]

Answer 67

They tell the program what to do.

Answer 68

They specify which operating system version you're analyzing.

Answer 69

Use the VOLATILITY_LOCATION environment variable. For example export VOLATILITY_LOCATION=file://(path)

Answer 70

imageinfo (p124)

Answer 71

Book 2 p. 125.

Answer 72

Book 2, p. 126-9.

Answer 73

A fork of Volatility that focuses on speed and performance.

Answer 74

rekall -f memory.img psscan (130)

Answer 75

Google Rapid Response (research this) p. 130.

Answer 76

Volatility does, Rekall doesn't.

Answer 77

https://code.google.com/p/rekall

Answer 78

It's a Volatility plugin that returns information like system date and time when the image was collected, KPCR, number of processors, operating system and service pack information.

Answer 79

Give them the location of the KDBG using -g 0xADDRESS. Use imageinfo to get it.

Answer 80

imageinfo. Also the virtual address of the KdCopyDataBlock found via the kdbgscan plugin.

Answer 81

A volatility plugin that prepares non-standard memory images for analysis.

Answer 82

hibr2bin.exe (134)

Answer 83

pslist psscan pstree pstotal

Answer 84

Print all running processes by following the EPROCESS linked list (even in LInux?)

Answer 85

-p (show information for specific process IDs)

Answer 86

``` Virtual offset of EPROCESS block Process name Process ID (PID) Parent Process ID Number of threads Number of handles Process start time ```

Answer 87

Rootkits can unlink malicious processes from the linked list rendering them invisible (really? how do they run?)

Answer 88

It should have zero handles and zero threads.

Answer 89

A Volatility plugin that scans physical memory for EPROCESS pool allocations.

Answer 90

Psscan scans memory rather than following the EPROCESS list, so it can find unlinked/hidden processes, and processes that are no longer running.

Answer 91

``` Physical offset of EPROCESS block Process name Process ID Parent Process ID Page directory base offset (PDB) Process start time Process exit time ```

Answer 92

Process ID

Answer 93

Physical offset in memory

Answer 94

Just that it was moved around in physical memory.

Answer 95

A volatility plugin that displays the process list as a tree.

Answer 96

-v for verbose information including image path and command line for each process.

Answer 97

It uses the EPROCESS linked list, so doesn't show unlinked/hidden processes.

Answer 98

Visually identifying malicious processes spawned by the wrong parent process.

Answer 99

``` Virtual offset of EPROCESS block Process name PID PPID Number of threads number of handles process start time (146) ```

Answer 100

A Volatility plugin that scans physical memory for EPROCESS pool allocations and identifies hidden processes only found in psscan output.

Answer 101

- -output-file=OUTPUT FILE - -output=dot for vector capable output - c or --cmd to display command line including path

Answer 102

Red - Process is absent from pslist and has no exit time. Investigate. Grey - Process is absent from pslist but has an exit timestamp. Probably just an exited process. Light blue - Exit time is before the most recent boot. Probably leftover in memory image. Dark blue - Exit time is after the most recent boot Yellow - Indication of potential PID reuse.

Answer 103

``` Correct image/executable name Correct file location (path) Correct parent process Correct command line and parameters Correct start time information ```

Answer 104

``` dlllist cmdline getsids handles filescan svcscan cmdscan consoles ```

Answer 105

A Volatility plugin that displays loaded DLLs and the command line to start each process.

Answer 106

Use the Volatility dlldump plugin.

Answer 107

Process Environment Block (156)

Answer 108

Base offset DLL size DLL file path

Answer 109

ldrmodules (156, more)

Answer 110

A volatility plugin that displays Security IDentifiers for each process?

Answer 111

The SID for LocalSystem (161)

Answer 112

The SID for Administrators

Answer 113

The SID for Everyone

Answer 114

The SID for Authenticated Users

Answer 115

The SID for System Mandatory Level

Answer 116

http://technet.microsoft.com/en-us/libraray/cc783557(v=ws.10).aspx

Answer 117

The SID for Guests

Answer 118

The SID for Users.

Answer 119

A Windows instance. Domain SIDs are unique throughout the enterprise.

Answer 120

LocalSystem, LocalService, NetworkService.

Answer 121

Prints a list of handles opened by a process

Answer 122

- p PID (can comma separate multiple) | - t type (there are about a dozen on p 165.)

Answer 123

mutantscan

Answer 124

Scans memory image for Windows service records, giving information on associated processes and drivers

Answer 125

-v (show service DLL)

Answer 126

Windows Service

Answer 127

SERVICE_AUTO_START entries should be examined.

Answer 128

Drivers can be loaded via a service, so can be found using Volatility's svcscan module.

Answer 129

Volatility's svcscan module.

Answer 130

Enumeration of services

Answer 131

A special type of process that is intended to be run in the background without user input.

Answer 132

...both process executables and drivers.

Answer 133

Volatility.

Answer 134

``` Offset Order Start method (Disabled, System_Start, Boot_Start, Auto_Start, Demand_Start) Process ID Service Name Display Name Type (Process or driver) State (Running or stopped) Full path ```

Answer 135

Identifies what DLL started a service by parsing the SYSTEM\CurrentControlSet\Services\\Parameters\ServiceDLL registry key.

Answer 136

Also identify services which should be running, but which have been stopped.

Answer 137

Windows updates and antivirus. (170)

Answer 138

That a service will start on system boot.

Answer 139

Volatility modules that carve out full command histories and text console output from a memory image.

Answer 140

By scanning the VAC tree of csrss.exe and conhost.exe, in particular the DOSKEY command history buffer kept by cmd.exe.

Answer 141

CONSOLE_INFORMATION

Answer 142

A memory structurethat includes the console buffer, showing input and output those commands generated. It is parsed by the consoles Volatility plugin.

Answer 143

Consoles only parses records from consoles active when memory was dumped. cmdscan can recover current and old remnants of command history buffers.

Answer 144

Command process (where was history information found) PID CommandHistory (offset where history structure found) (more on 174)

Answer 145

DLLs, Handles, Services.

Answer 146

``` connections connscan sockets sockscan netscan ```

Answer 147

They're the only ones that are operating system dependent. Radical changes were made starting in Vista. With Vista or later netscan must be used.

Answer 148

They are Volatility plugins that identify network connections.

Answer 149

It wanks the TCP connections singly linked list to find active network connections when the memory image was taken.

Answer 150

It takes a brute force approach scanning anything in memory that resembles a _TCPT_OBJECT and tries to parse it.

Answer 151

It attempts to parse objects which might no longer be in use, and which might have been partially overwritten. The results can be incorrect.

Answer 152

memory offset local ip address remote ip address PID

Answer 153

A PID that shouldn't be communicating on the network but that is. A legitimate PID that exhibits this behavior may have been compromised.

Answer 154

They're all closed prior to hibernation, so connscan is still effective, but connections wouldn't return any results.

Answer 155

It generally shouldn't have any external connections.

Answer 156

They're Volatility plugins that enumerate network sockets.

Answer 157

It walks the singly linked list and reports information on the socket objects.

Answer 158

It scans memory images looking for _ADDRESS_OBJECT objects and parses them.

Answer 159

Creation time. | A process with a passive listening socket on a suspicious port.

Answer 160

Which sockets were alive and which were terminated or unlinked.

Answer 161

Suspicious ports Suspicious connections Known bad IPs Suspicious network behavior from processes Interesting creation times of network sockets

Answer 162

No errors are generated, so you can use the wrong one without realizing it.

Answer 163

``` malsysproc openioc_scan baseline processbl servicebl driverbl ```

Answer 164

Automatically identifies suspicous processes

Answer 165

Scans memory objects using OpenIOC signature files.

Answer 166

Provides processbl servicebl, driverbl for baseline comparisons.

Answer 167

Compare processes and loaded DLLs with a baseline image.

Answer 168

Comapres services with a baseline image.

Answer 169

Compares drivers with a baseline image.

Answer 170

Scan system processes for anomalies to find malware pretending to be legitimate system processes.

Answer 171

Only scans common system processes (smss, csrss, winlogon, services, lsass, svchost, spoolsv, wininit), and common misspellings. (188)

Answer 172

It's a fork of malsysproc that adds useful checks like anomalous process SIDs and process hollowing.

Answer 173

Compares memory objects found in a suspect image to those present in a known good image.

Answer 174

- B (baseline image) - U (only show items not found in the baseline) - K (only show items present in the baseline) (190)

Answer 175

malfind, ldrmodules

Answer 176

It's a Volatility plugin that scans process memory sections looking for indications of code injection, then extracts those sections for further analysis.

Answer 177

Is this suspicous in itself? (202)

Answer 178

PUSH EBP | MOV EBP, ESP

Memory Forensics in Incident Response Flashcards

(251 cards)